Data Processing Agreement

Last updated: 9 December 2024

This is the data processing agreement (the DPA) of GoPhoto B.V. (GoPhoto).

In the execution of the (master) services agreement between the Parties (the Agreement), GoPhoto processes Personal Data on behalf of the Client. The Client and GoPhoto are therefore under an obligation to conclude the DPA. GoPhoto and the Client are both a party to this DPA.

  1. Definitions
    Capitalised terms in this DPA shall have the meaning as set out in Annex 5.1 or if not found in Annex 5.1 it shall have the meaning as set out in the Agreement.
  2. Subject of the DPA
    1. This DPA is an addition to the Agreement. In the event of a conflict regarding the processing of Personal Data, the terms of this DPA will prevail over the terms of the Agreement, Parties’ privacy policies or the terms of any other agreement entered into between the Parties.
    2. The terms of this DPA apply to all the processing of Personal Data by Parties in connection with the execution of the Agreement.
    3. The Client acts as a controller (also called a ‘data controller’), in the sense of the GDPR. This means that the purpose and the means of the processing of personal data are determined by Client, and that Client uses this data for its own personal purposes.
    4. GoPhoto acts as a ‘processor’ in the sense of the GDPR. This means that GoPhoto only processes the personal data supplied by Client in accordance with Client’s written instructions, as described in this DPA or Agreement. GoPhoto shall not process the data for its own personal purposes.
  3. Execution of the processing
    1. In the execution of the Services, GoPhoto will handle the Personal Data in a careful manner and only process the Personal Data based on the assignment of the Client, in accordance with its written instructions and in accordance with the Agreement, this DPA and the GDPR.
    2. GoPhoto will not process the Personal Data for any other purpose than as determined by the Client. GoPhoto has no control over the purpose and means of the processing of the Personal Data.
    3. GoPhoto further guarantees that every person acting under its authority will process the Personal Data lawfully and in accordance with this DPA and the GDPR.
    4. At the request of the Client, GoPhoto will provide the Client with information about the (security) measures taken in order to comply with the obligations under the GDPR, the Agreement, this DPA and other instructions from the Client.
  4. Warranty Client
    The Client guarantees the processing of the Personal Data of the Data Subjects, as referred to in this Agreement, is not unlawful and does not violate the rights of others. The Client indemnifies GoPhoto against all claims relating to this.
  5. Transfer of personal data
    1. If the Client is situated outside the European Union, Gophoto shall still process the Personal Data in accordance with the GDPR.
    2. GoPhoto shall, at the request of the Client, notify him in which countries he processes personal data for the benefit of the Client.
  6. Security measures
    1. GoPhoto implements all appropriate technical and organisational measures to prevent loss of personal data or any form of unlawful processing. These measures shall guarantee an adequate level of protection of the personal data being processed.
    2. GoPhoto will at least take the security measures as set out in Annex 2.
    3. GoPhoto shall provide the Client with all available information to provide the Client assistance in carrying out security measures, conducting audits and inspections and carrying out data protection impact assessments.
  7. Security incidents
    1. GoPhoto will report any theft, loss, misuse or other form of data breach to the Client as soon as possible. This report includes, as far as possible, at least the following: the nature of the breach, the categories and scope of the personal data concerned, the likely consequences of the data breach, the measures GoPhoto has taken and the contact details for the Client to obtain more information.
    2. If needed, GoPhoto will fully cooperate to inform the authorities and Data Subjects about such security incidents or data breaches. In addition, GoPhoto will fully cooperate in carrying out risk assessments, analysing the cause of the incident or breach, identifying required corrective measures and implementing those measures.
  8. Duration and termination
    1. This DPA constitutes an integral part of the Agreement and shall automatically terminate upon termination of the Agreement.
    2. The Parties cannot terminate this DPA independently from the Agreement. If the Agreement is terminated, then this DPA will also be automatically terminated.
    3. If this DPA is terminated or dissolved, Parties must continue to comply with the provisions of this DPA regarding confidentiality, liability, indemnification and all other provisions that are intended by nature to remain applicable between the parties after terminations or dissolution of this DPA.
    4. If this DPA is terminated or dissolved, GoPhoto will return all data, including personal data, which are processed by GoPhoto based on the Agreement, to the Client at his request. Upon request, GoPhoto shall within 2 months of termination of the DPA safely remove or destroy all personal data, including any copies of it, unless GoPhoto is legally obliged to store the (personal) data for a longer period.
  9. Confidentiality and non-disclosure
    1. GoPhoto will treat all Personal Data and other data received by the Client as confidential. GoPhoto will limit the access to this data to persons working for GoPhoto, who need access to correctly process the data on behalf of the Client.
    2. All Personal Data GoPhoto receives based on the Agreement or the DPA are subject to a non-disclosure obligation towards third parties. All persons employed by or working for GoPhoto, as well as GoPhoto itself, are required to remain secrecy regarding the personal data.
    3. GoPhoto will not provide third parties with the (personal)data or copy, multiply or otherwise make the personal data public, without permission of the Client.
  10. Rights of Data Subjects
    1. GoPhoto will assist the Client with all requests which may be received from Data Subjects, such as the right to access, rectification or erasure.
    2. If GoPhoto receives a request from a third party to provide access to the Personal Data based on an alleged (legal) obligation, GoPhoto will inform the Client in writing before he provides the third party access, so the Client can assess whether the request is legitimate.
  11. People working under the authority of GoPhoto
    The obligations for GoPhoto arising from this Agreement also apply to those who process personal data under the authority of GoPhoto, including but not limited to employees.
  12. Sub-Processors
    1. GoPhoto may sub-contract the processing of the personal data to external parties. GoPhoto has sub-contracted (part of) the processing of the personal data to the following Sub-Processors: AWS (Amazon), Remove.bg
    2. GoPhoto may appoint new Sub-Processors for the processing of the personal data. GoPhoto will notify the Client of the addition or replacement of any Sub-Processors. The Client is then also offered the possibility to object to this. In addition, the Client may request an overview of all appointed Sub-Processors.
  13. Liability and Indemnification
    1. GoPhoto is responsible for all Personal Data (or other data) that the Client has shared with GoPhoto. GoPhoto indemnifies the Client against all claims by third parties or fines by an authority because of the transfer of this Personal Data.
    2. The limitations of liability as set out in Article 8 of the Terms (Indemnification, Liability and Insurance) apply to any liability resulting from this DPA or the use of the Personal Data.
  14. Miscellaneous and dispute resolution.
    Articles 15 and 16 of the Terms are inter alia applicable to this DPA.

ANNEX 5.1 – Definitions

Definition Explanation
Agreement The (master) services agreement between the Parties.
Data Subjects The visitors to the Client’s Location of which personal data is collected on the basis of the Agreement; data subjects within the meaning of what is specified in the GDPR.
DPA This data processing agreement, applicable between Parties.
GDPR General Data Protection Regulation.
Parties GoPhoto and Client referred to jointly.
Client The Client with the details as set out in the Agreement.
Personal Data Data which can be used either directly or indirectly to identify a natural person, as intended in the GDPR. In relation with Client, the processed personal data concern:

  • Photographs (biometrical data);
  • Contact & Payment data.
Purposes of processing The purpose of the data processing as subject of this DPA is limited to servicing the customers of Client with a photo memory.
Sub Processors Third parties, engaged by GoPhoto for the processing of personal data for the benefit of the Client.

ANNEX 5.2 – Security measures

Measures Explanation
Encryption Encryption of digital files containing Personal Data.
Anonymization GoPhoto extracts information from the photos of visitors through facial recognition software. This information is combined by GoPhoto into group data, separated from the biometrical data and subsequently stored anonymously. In this way, there is no link anymore between the visitor statistics and the Data Subjects.
Access restriction The access to the Personal Data is restricted to the authorized employees on a need-to-know basis.
Transport Layer Security Secure network connections with Transport Layer Security (TLS) technology or a non-deprecated technology that is similar to TLS.
Non-disclosure Non-Disclosure Agreements (NDA’s) are concluded in the event that confidential information is exchanged.
Maintaining measures Process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.